I'm trying to secure a VLAN using VACL on a 6509 CatOS 5.4(1) and it doesn't work. I have created a MAC ACL, based on the source host mac and ANY as the destination, example:
set security acl mac test permit host 00-01-02-03-04-05 any
There are 16 ACEs.
I have committed the ACL and mapped it to a VLAN. As I understand it, all frames being forwarded in this VLAN will first be checked against the VACL and if there's a match it will be forwarded. But it doesn't work!! A port in the VLAN is connected to another switch and on that switch there are some clients that I want to have access and the rest needs to be denied access. With the above config I haven't put in my notebook MAC, and connecting it to the same VLAN I still have access... Which indicates that the VACL does not work. The VLAN is not routed with the MSFC. I need to use a MAC VACL because of tighter access control.
I haven't used port security because it doesn't support high availability on redundant supervisors. And VACLs are supported with high availability.
I have checked the release notes for newer versions and looked in the bug tool and I can't find any issues with MAC VACLs. I know that the CatOS version is quite old but unless there is a specific issue with VACLs or other we can survive on this version.
IP traffic and IPX traffic are not access controlled by MAC VACLs. All other traffic types (AppleTalk, DECnet, and so on) are classified as MAC traffic and MAC VACLs are used to access control this traffic.
So as I understand it, it is not possible to use a MAC ACL as a filter for any kind of traffic except Appletalk, DECnet etc. like you could do with port security? Which I can't use... So I have to use IPs... hmmm. Ok. I'll look for another solution. Thanks
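The outcome of the thread is that on CatOS a MAC VACL never matches IP (or IPX) frames, so a per-host allow list for IP clients has to be written as an IP VACL. The fragment below is an added example for this page, not configuration posted in the thread or taken from Cisco documentation. The VLAN number (10), the permitted clients (10.1.1.10 and 10.1.1.11) and the ACL name IPALLOW are assumed values chosen for illustration.

```cisco
# Added example, not from the thread. Assumed: VLAN 10, allowed clients
# 10.1.1.10 and 10.1.1.11, ACL name IPALLOW.
#
# A VACL is checked against every packet switched in the VLAN, whichever
# direction it travels, so a rule set that only permits the clients as
# SOURCE would drop the replies coming back to them. Each client therefore
# gets one entry as source and one as destination.
set security acl ip IPALLOW permit ip host 10.1.1.10 any
set security acl ip IPALLOW permit ip any host 10.1.1.10
set security acl ip IPALLOW permit ip host 10.1.1.11 any
set security acl ip IPALLOW permit ip any host 10.1.1.11
# Explicit catch-all deny so the intent is visible in the show output.
set security acl ip IPALLOW deny ip any any
# Nothing takes effect until the edit buffer is committed...
commit security acl IPALLOW
# ...and the committed ACL is mapped to the VLAN.
set security acl map IPALLOW 10
# Verify the committed ACEs and the VLAN mapping.
show security acl info IPALLOW
show security acl map IPALLOW
```

The MAC VACL from the original post can stay mapped alongside this one; it continues to cover the non-IP, non-IPX frame types the quoted documentation lists. Two things to check before relying on this on a given release: whether the IP ACL needs a separate entry for ARP (the example does not include one), and that the final deny really drops everything the permits do not cover, by connecting an unlisted host and confirming it cannot reach anything in the VLAN.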